LDAP and YubiKey auth - or a tale of love and suffering [discontinued]

Preamble

I have been trying to get the YubiKey auth system at my workplace sane - without success. Each instance had to get configured separately to make use of the YubiKey 2-factor auth, and it got on my nerves, so I decided - hey, let's make a centralized LDAP auth server with YubiKey support! That was the moment when I lost my sanity.

I'm thinking - hey, Debian is stable, AND it's officially supported by YubiCo! It can't be that hard to do a simple prototype setup! So, I started doing whatever it took to get a PAM module for the YubiKeys. It took me almost 3 hours to figure out all the dependencies, get all the dependencies of those dependencies, etc. I compiled from source, since the YubiKey PAM module in the official Debian repos is too old to be used with the custom LDAP schema for YubiKeys - that's right, they don't really support LDAP after all!

"YubiCo recommends that you store the YubiKey ID in one of the unused fields - like favourite colour" - fuck that.

And then I began trying to configure LDAP. That's when the shit-coaster really started moving. The official guide on the Debian wiki failed after the third command.

I switched to a more sane system - Gentoo. Perhaps it'll be better. "Install Gentoo", that's what they always say. Gentoo's documentation is always top-notch! Well, it's better than Debian's - do note that different repositories implement OpenLDAP differently, so paths will be different on your system if it's not Gentoo.

I have survived a YubiKey LDAP server install. This is my story.

OpenLDAP time!

So, at this point, I am assuming that you have a functioning Gentoo system in your hands - first, we are going to need to set some USE flags. Add the following to /etc/portage/package.use/default:

net-nsd/openldap -minimal sasl gnutls

After that's done, emerge --ask openldap, check the dependencies and hit Y. Sit back for a while. We are going to follow the Gentoo Handbook in some cases, in some cases, we won't. First, we are going to place the YubiKey schema and ldif inside the folder /etc/openldap/schema by issuing

cp yubikey.* /etc/openldap/schema/

You need to first generate a password hash for the LDAP root, do so with the slappasswd command, then open /etc/openldap/slapd.conf with your favorite editor. We are going to make the following changes:

(Put a tab where I put a -> because markdown a shit) This will give the actual root user on the LDAP host access to the configuration later.

After we do this and try to run the next command in the Gentoo Handbook,

slaptest -v -d 1 -f /etc/openldap/slapd.conf

it will fail. It's because Gentoo generates some garbage in LDAP's in /var/lib/openldap-data or whatever your directory is. Go there and rm -rf that entire folder. We are going to recreate it soon.

Since there is thing called OLC which is apparently the new way of doing things in LDAP, we will do it that way. Follow the handbook:

mkdir /etc/openldap/slapd.d

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

chown -R ldap:ldap slapd.d

Bit of a note here - there are some things which LDAP really hates and one of those things is ownership. Always ensure that /etc/openldap and your directory is owned by ldap:ldap.

So, the following command has generated us with an OLC structure thing. Next step, add this to /etc/conf.d/slapd:

OPTS="-F /etc/openldap/slapd.d -h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

After that's done, if it does not exist, create the /var/lib/openldap-data structure. Remember to chown it to ldap:ldap and to chmod it to 700.

Now we will create the database files. Copy the DB_CONFIG.example at /etc/openldap/DB_CONFIG.example to the directory (default /var/lib/openldap-data) and rename it to DB_CONFIG. Finally, do:

/etc/init.d/slapd restart

If it fails for some reason, do chown to ldap:ldap on /etc/openldap/slapd.d and directory.

Setting up a (test) client.

First, we test our own client - we have to config it a bit. In the file /etc/openldap/ldap.conf:

BASE dc=flooby,dc=tech,dc=com
URI ldap://localhost:389/
TLS_REQCERT allow
TIMELIMIT 2

After that, issue:

ldapsearch -x -D "cn=Manager,dc=flooby,dc=tech,dc=com" -W

If it works - you should get 'No such object', you're all set!

Adding data to LDAP

Generally, I don't like dealing with LDAP that much. I much prefer adduser/useradd over whatever ldapadd command I have to give with it's cryptic format. It's better to use MigrationTools in my opinion.

First, we have to install some Perl libraries:

emerge --ask dev-perl/Convert-ASN1 dev-perl/perl-ldap

Then we can get on with it:

wget http://www.padl.com/download/MigrationTools.tgz
tar xf MigrationTools.tgz
cd MigrationTools*
wget http://static.notx.ml/files/make_master.sh
./make_master.sh

Follow the instructions. After that, you should try the ldapsearch command that is above. Now it just works! Yay!

YubiKey integration